tuf: add a method to retrieve rekor public keys #500
return | ||
} | ||
for _, t := range targets { | ||
rekorPubKey, err := cryptoutils.UnmarshalPEMToECDSAKey(t.Target) |
Would UnmarshalPEMToPublicKey work, or do we make more assumptions that the Rekor key is an ECDSA key?
Wow, I lost track of this comment -- yes! The methods that use Rekor public keys expect ecdsa keys: https://github.com/sigstore/cosign/blob/890cec1f43a8ec0754e0dd5a5d120847b63b6c4e/pkg/cosign/verify.go#L818
Just curious, long-term, how hard would it be to remove the ECDSA requirement?
Signed-off-by: Asra Ali <asraa@google.com> update Signed-off-by: Asra Ali <asraa@google.com>
ping @haydentherapper or maybe this should just go in an internal cosign package?
I'd prefer this either live in Rekor or sigstore/sigstore. Given it's intertwined with TUF, I think sigstore/sigstore is the best option for now. Long term, I think tlog verification should live in Rekor, certificate verification in Fulcio, TUF and crypto/signature/PEM/etc functions in sigstore/sigstore, OCI in Cosign.
@@ -55,6 +55,19 @@ func UnmarshalPEMToPublicKey(pemBytes []byte) (crypto.PublicKey, error) { | |||
return x509.ParsePKIXPublicKey(derBytes.Bytes) | |||
} | |||
|
|||
// UnmarshalPEMToECDSAKey converts a PEM-encoded byte slice into an *ecdsa.PublicKey. | |||
func UnmarshalPEMToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error) { |
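Review bot: the doc comment on UnmarshalPEMToECDSAKey says only what it converts; it should also state that a PEM block holding a non-ECDSA key (RSA, Ed25519) is rejected with an error, since that is exactly what a caller choosing it over UnmarshalPEMToPublicKey needs to know. Because it sits directly beside UnmarshalPEMToPublicKey, consider implementing it as a call to that function followed by a `*ecdsa.PublicKey` type assertion, so there is a single PEM decoding path to maintain.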
Do you think we should make this a private function of rekorpubs? I'd prefer to encourage package users to use the more generic PEM to crypto.PublicKey method.
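An added example (not code from this PR or from sigstore/sigstore) of the layering the reviewers discuss: the generic PEM-to-crypto.PublicKey path, with the ECDSA requirement applied on top as a type assertion so a non-ECDSA log key is rejected when it is loaded rather than deep inside signature verification. The lowercase function names are stand-ins, not the package's exported API, and the keys are generated locally as constructed input.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// unmarshalPEMToPublicKey is the generic path: any PKIX "PUBLIC KEY" PEM block.
func unmarshalPEMToPublicKey(pemBytes []byte) (crypto.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PEM-encoded PUBLIC KEY block found")
	}
	return x509.ParsePKIXPublicKey(block.Bytes)
}

// unmarshalPEMToECDSAKey wraps the generic path and enforces the ECDSA assumption
// the Rekor verification code makes, so a non-ECDSA log key fails at load time.
func unmarshalPEMToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error) {
	pub, err := unmarshalPEMToPublicKey(pemBytes)
	if err != nil {
		return nil, err
	}
	ecKey, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("rekor public key is %T, expected *ecdsa.PublicKey", pub)
	}
	return ecKey, nil
}

// encodePublicKeyPEM produces constructed test input; it is not a real Rekor key.
func encodePublicKeyPEM(pub crypto.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

func main() {
	ec, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	edPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, ecErr := unmarshalPEMToECDSAKey(encodePublicKeyPEM(&ec.PublicKey))
	_, edErr := unmarshalPEMToECDSAKey(encodePublicKeyPEM(edPub))
	fmt.Println("ecdsa accepted:", ecErr == nil, "| ed25519 rejected:", edErr != nil)
}
```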
// GetRekorPubs returns a map of rekor public keys keyed by rekor log ID. Each key contains | ||
// the ecdsa public key of the log and the status of the log (e.g. Active, Inactive). | ||
func GetRekorPubs() (map[string]RekorPubKey, error) { |
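Review bot: GetRekorPubs takes no context.Context and no TUF client argument, so a caller cannot cancel or time out the target fetch behind it, nor point it at a non-default TUF root in tests; consider `func GetRekorPubs(ctx context.Context) (map[string]RekorPubKey, error)` or a variant that accepts the TUF client.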
We should also document that this caches the public keys. This could be an issue if used by a server that never restarts and never would fetch the latest keys for example.
Do you think we should have two functions, one for caching and one that doesn't cache?
@asraa Good to close in favor of sigstore-go?
Yeah, I guess it's not really quite needed yet anyway. sigstore-go will use TUF to populate the trust root proto
sigstore#500) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Signed-off-by: Asra Ali asraa@google.com
Summary
I expect that with this method, we can now set sign/verify opts to include RekorPubKeys, so that people can define this themselves when they use cosign as a library. This is how the Fulcio roots work as well.
Ticket Link
Fixes
Release Note